The world’s most popular websites [1], according to the Alexa website, are the following:

| Site | Daily Time on Site (mins:secs) | Daily Pageviews per Visitor |
| --- | --- | --- |
| Google.com | 12:23 | 14.56 |
| YouTube.com | 12:19 | 6.96 |
| Tmall.com | 6:46 | 2.88 |
| Qq.com | 3:43 | 4.02 |
| Baidu.com | 7:18 | 4.40 |
| Facebook.com | 17:18 | 7.83 |
| Sohu.com | 3:44 | 4.61 |
| Login.tmall.com | 5:05 | 1.00 |
| Taobao.com | 4:23 | 3.53 |
| 360.cn | 3:16 | 3.90 |

[1] – The sites in the top sites lists are ordered by their 1 month Alexa traffic rank. The 1 month rank is calculated using a combination of average daily visitors and pageviews over the past month. The site with the highest combination of visitors and pageviews is ranked #1.

Let us break down each website and take a look at what authentication and multi-factor authentication options are available, for login and forgotten password user flows.

| Site | Default Login | Login MFA Options | Default Password Reset | Reset Options |
| --- | --- | --- | --- | --- |
| Google.com | Username and password; minimum of 8 characters | Google Prompt, SMS OTP, Security Key, Recovery Codes, Authenticator App | Last known password; KBA or pre-configured MFA factor | KBA, unless MFA enabled |
| YouTube.com | Account managed by Google – so same as above | Account managed by Google – so same as above | Account managed by Google – so same as above | Account managed by Google – so same as above |
| Tmall.com | Authentication handled by login.tmall.com | Authentication handled by login.tmall.com | Authentication handled by login.tmall.com | Authentication handled by login.tmall.com |
| Qq.com | Part of Tencent – unable to verify | Part of Tencent – unable to verify | Part of Tencent – unable to verify | Part of Tencent – unable to verify |
| Baidu.com | QR code via app, or username and password (8-14 chars, 2 of numbers/letters/punctuation). Mobile required for registration | OTP via registered mobile | Username and reCaptcha, followed by configured MFA. If no MFA is configured, requires an “appeal” via customer support, which requires a QR scan that contains a specific URL redirect | OTP via registered mobile |
| Facebook.com | Username and password (min of 6 chars long) | OTP via registered mobile | Code sent to pre-registered email address | |
| Sohu.com | Username and password (8-16 chars, with alphanumeric and special char support). Mobile number and verification code also supported by default | OTP via registered mobile | Mobile phone and verification code, or email and code | OTP via registered mobile |
| Login.tmall.com | Authentication handled by passport.taobao.com | Authentication handled by passport.taobao.com | Authentication handled by passport.taobao.com | Authentication handled by passport.taobao.com |
| Taobao.com | Username and password login available | Part of Alibaba group. Registration involves reCaptcha and OTP sent to mobile device, with MFA for face, bank card verification and mobile device bind | Basic reCaptcha, Face ID, verification code via mobile, bank card reconciliation | Same as login MFA options |
| 360.cn | Mobile number and password (8-10 chars), or username/email and password (or delivered prompt via QR code) | OTP via SMS | Basic reCaptcha, email/mobile number, followed by verification code | OTP via SMS |

Notes

Google

  • Google Prompt – Android-enabled devices, with push notification
  • SMS OTP – one-time password sent via text message to a verified mobile device
  • Codes – 10 eight-digit codes that are single use, with the ability to generate new ones
  • Authenticator app – use of the Google Authenticator one-time password generator
  • Security key – USB or Bluetooth-enabled hardware key

Facebook

  • OTP delivered via SMS to registered mobile device
  • Authenticator app – can use the Facebook mobile app, which contains an OTP generator, but can also use other supported authenticator apps
  • Security key – supports use of USB U2F (FIDO Universal Second Factor) devices
  • Recovery Codes – 10 eight-digit codes that are single use, with the ability to generate new ones
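Both the Google and Facebook notes above describe the same recovery-code design: ten eight-digit codes, each usable once, with the whole set replaceable. The following is an added example (not code from the page or from either provider) of how a server should store and consume such codes: only salted PBKDF2 hashes are kept, so a database leak does not yield usable codes; each code is marked used on its first successful redemption; and regenerating the set invalidates every old code. The code count, digit width, and iteration count are constructed parameters for this example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters following the page's description: 10 single-use, eight-digit codes.
CODE_COUNT = 10
CODE_DIGITS = 8
PBKDF2_ITERATIONS = 20_000  # assumed work factor for this example; raise in production


def generate_recovery_codes(count: int = CODE_COUNT, digits: int = CODE_DIGITS) -> list[str]:
    """Fresh, distinct codes from the CSPRNG, zero-padded to a fixed width."""
    codes: list[str] = []
    while len(codes) < count:
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if code not in codes:
            codes.append(code)
    return codes


def normalize(code: str) -> str:
    """Users type codes with spaces or hyphens; keep only the digits before comparing."""
    return "".join(ch for ch in code if ch.isdigit())


class RecoveryCodeStore:
    """Server-side record for one account. Only salted hashes are stored, and each entry
    is consumed on its first successful use."""

    def __init__(self, codes: list[str]):
        self._salt = b""
        self._hashes: list[bytes] = []
        self._used: list[bool] = []
        self._install(codes)

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, PBKDF2_ITERATIONS)

    def _install(self, codes: list[str]) -> None:
        # One salt per account: a single PBKDF2 run per attempt covers the whole set.
        self._salt = secrets.token_bytes(16)
        self._hashes = [self._digest(c) for c in codes]
        self._used = [False] * len(codes)

    def redeem(self, attempt: str) -> bool:
        """Return True exactly once per code; a reused, unknown or regenerated-away code fails."""
        digest = self._digest(normalize(attempt))
        match = None
        for i, stored in enumerate(self._hashes):
            # Check every slot with a constant-time compare so timing does not reveal which matched.
            if hmac.compare_digest(digest, stored) and not self._used[i]:
                match = i
        if match is None:
            return False
        self._used[match] = True
        return True

    def remaining(self) -> int:
        return self._used.count(False)

    def regenerate(self) -> list[str]:
        """Replace the whole set (old codes stop working); the plaintext is shown to the user once."""
        codes = generate_recovery_codes()
        self._install(codes)
        return codes
```

Eight decimal digits is under 27 bits of entropy per code, so the store above only holds up if the login endpoint rate-limits recovery-code attempts per account in the same way it limits password guesses.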

Summary

SMS-delivered one-time passwords seem to be the most popular secondary factor method, even though several pieces of analysis have indicated the inherent weakness of this approach. The National Institute of Standards and Technology deprecated the recommendation of SMS OTP as a secure secondary factor back in 2016.

The simple problem is that SMS is almost universally available: usable in multiple geographies and on multiple phone models, including legacy non-smart devices. A one-time password generated within an application using the OATH protocol, from a shared secret (between the app and the server-side site you’re accessing), would seem more secure, but requires liberal use of modern applications and a secure way of sharing the secret, certainly an encrypted communications channel over TLS 1.2/1.3, which some sites in the above list do not necessarily adhere to.

Other secondary factor options, such as push authentication and WebAuthn, seem in the minority at present, probably due to the dependencies on modern browsers and applications.
